DATA PROTECTION LAW IN INDIA
This digital revolution has permeated India as well. Recognizing its significance, and that it promises to bring large disruptions in almost all sectors of society, the Government of India has envisaged and implemented the “Digital India” initiative.
With nearly 450 million Internet users and a growth rate of 7-8%, India is well on the path to becoming a digital economy, which has a large market for global players.
WE ARE WITNESSING A DATA REVOLUTION ACROSS THE WORLD
While the transition to a digital economy is underway, the processing of personal data has already become omnipresent. The reality of the digital environment today, is that almost every single activity undertaken by an individual involves some sort of data transaction or the other.
The Internet has given birth to entirely new markets: those dealing in the collection, organization, and processing of personal information, whether directly, or as a critical component of their business model.
“Uber‟, the world’s largest taxi company, owns no vehicles
Facebook‟, the world’s most popular media owner, creates no content
Alibaba‟, the most valuable retailer, has no inventory „
Airbnb‟, the world’s largest accommodation provider, owns no real estate
WHILE WE REAP ITS BENEFITS, PROTECTION OF DATA IS VITAL
While data can be put to beneficial use, the unregulated and arbitrary use of data, especially personal data, has raised concerns regarding the privacy and autonomy of an individual. This was also the subject matter of the landmark judgement of the Supreme Court, which recognized the right to privacy as a fundamental right.
Government of India has constituted a Committee of Experts to study various issues relating to data protection in India and suggest a draft Data Protection Bill. The objective is to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.”
DATA PROTECTION WILL STEM FROM A LEGAL FRAMEWORK
Instrumentally, a firm legal framework for data protection will:
I. Keep personal data of citizens secure and protected
II. Act as the foundation on which data-driven innovation and entrepreneurship can flourish in India
A White Paper has been drafted on what shape a data protection law must take. The White Paper outlines the following:
• Issues that Committee members feel require incorporation in a law
• Relevant experiences from other countries and concerns regarding their incorporation
• Certain provisional views based on an evaluation of the issues vis-à-vis the objectives of the exercise.
• Specific questions for the public.
EXPANDING SCOPE OF EXISTING DATA PROTECTION REGULATION
IT Act 2000, Section 43 : Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected.
KEY PRINCIPLES AROUND DATA PROTECTION IN INDIA
• The law must be technology agnostic. It must be flexible to take into account changing technologies and standards of compliance.
• The law must apply to both private sector entities and government. Differential obligations may be carved out in the law for certain legitimate state aims
• Consent is an expression of human autonomy. For such expression to be genuine, it must be informed and meaningful.
• Data that is processed ought to be minimal and necessary for the purposes for which such data is sought and other compatible purposes
• The data controller shall be held accountable for any processing of data, whether by itself or entities with whom it may have shared the data
• Enforcement must be by a high-powered statutory authority with sufficient capacity. This must coexist with appropriately decentralized enforcement mechanisms Deterrent penalties • Penalties on wrongful processing must be adequate to ensure deterrence.
GROUNDS ON WHICH GOVERNMENT CAN INTERFERE WITH DATA
Under section 69 of the IT Act, any person, authorised by the Government or any of its officer specially authorised by the Government, if satisfied that it is necessary or expedient so to do in the interest of sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, for reasons to be recorded in writing, by order, can direct any agency of the Government to intercept, monitor or decrypt or cause to be intercepted or monitored or decrypted any information generated, transmitted, received or stored in any computer resource. The scope of section 69 of the IT Act includes both interception and monitoring along with decryption for the purpose of investigation of cyber-crimes. The Government has also notified the Information Technology (Procedures and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, under the above section.
The Government has also notified the Information Technology (Procedures and Safeguards for Blocking for Access of Information) Rules, 2009, under section 69A of the IT Act, which deals with the blocking of websites. The Government has blocked the access of various websites.
Penalty for Damage to Computer, Computer Systems, etc. under the IT Act
Section 43 of the IT Act, imposes a penalty without prescribing any upper limit, doing any of the following acts:
1. accesses or secures access to such computer, computer system or computer network;
2. downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
3. introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
4. damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programmes residing in such computer, computer system or computer network;
5. disrupts or causes disruption of any computer, computer system or computer network;
6. denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; (g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
7. charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network, he shall be liable to pay damages by way of compensation to the person so affected.
8. destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;
9. steel, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage.
TAMPERING WITH COMPUTER SOURCE DOCUMENTS AS PROVIDED FOR UNDER THE IT ACT, 2000
Section 65 of the IT Act lays down that whoever knowingly or intentionally conceals, destroys, or alters any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to Rs 2,00,000 (approx. US$3,000), or with both.
COMPUTER RELATED OFFENCES
Section 66 provides that if any person, dishonestly or fraudulently does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to Rs 5,00,000 (approx. US$ 8,000)) or with both.
PENALTY FOR BREACH OF CONFIDENTIALITY AND PRIVACY
Section 72 of the IT Act provides for penalty for breach of confidentiality and privacy. The Section provides that any person who, in pursuance of any of the powers conferred under the IT Act Rules or Regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned, discloses such material to any other person, shall be punishable with imprisonment for a term which may extend to two years, or with fine which may extend to Rs 1,00,000, (approx. US$ 3,000) or with both.
The relationship between the data service providers and individuals must be a fiduciary relationship. It must be a consent based processing, i.e. consent must be taken in prior. And to prevent abuse of power by service providers, law must establish some basic obligations towards individuals, i.e.
1. The obligation to process data fairly and reasonably.
2. Implementation of rules and policies as regard to the processing of data.
3. The obligation to serve notice to the individual at the time of collecting data.
4. For maintaining transparency with regard to the processing of such data
5. And to take measures to protect the interests of individual against misuse of data and ensure Right to Privacy.